Merge "SELinux policy for on-device signing binary."
This commit is contained in:
commit
9e794114b2
8 changed files with 63 additions and 0 deletions
|
@ -60,6 +60,9 @@
|
||||||
nfc_logs_data_file
|
nfc_logs_data_file
|
||||||
odrefresh
|
odrefresh
|
||||||
odrefresh_exec
|
odrefresh_exec
|
||||||
|
odsign
|
||||||
|
odsign_data_file
|
||||||
|
odsign_exec
|
||||||
people_service
|
people_service
|
||||||
persist_vendor_debug_wifi_prop
|
persist_vendor_debug_wifi_prop
|
||||||
power_debug_prop
|
power_debug_prop
|
||||||
|
|
|
@ -38,6 +38,10 @@ allow dex2oat apex_module_data_file:dir search;
|
||||||
# Allow dex2oat to use file descriptors passed from odrefresh.
|
# Allow dex2oat to use file descriptors passed from odrefresh.
|
||||||
allow dex2oat odrefresh:fd use;
|
allow dex2oat odrefresh:fd use;
|
||||||
|
|
||||||
|
# Allow dex2oat to use devpts and file descriptors passed from odsign
|
||||||
|
allow dex2oat odsign_devpts:chr_file { read write };
|
||||||
|
allow dex2oat odsign:fd use;
|
||||||
|
|
||||||
# Allow dex2oat to write to file descriptors from odrefresh for files
|
# Allow dex2oat to write to file descriptors from odrefresh for files
|
||||||
# in the staging area.
|
# in the staging area.
|
||||||
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
|
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
|
||||||
|
|
|
@ -277,6 +277,7 @@ neverallow {
|
||||||
domain
|
domain
|
||||||
# art processes
|
# art processes
|
||||||
-odrefresh
|
-odrefresh
|
||||||
|
-odsign
|
||||||
# others
|
# others
|
||||||
-apexd
|
-apexd
|
||||||
-init
|
-init
|
||||||
|
@ -287,6 +288,7 @@ neverallow {
|
||||||
domain
|
domain
|
||||||
# art processes
|
# art processes
|
||||||
-odrefresh
|
-odrefresh
|
||||||
|
-odsign
|
||||||
# others
|
# others
|
||||||
-apexd
|
-apexd
|
||||||
-init
|
-init
|
||||||
|
|
|
@ -44,3 +44,6 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
# /data/font/files
|
# /data/font/files
|
||||||
type font_data_file, file_type, data_file_type, core_data_file_type;
|
type font_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
# /data/misc/odsign
|
||||||
|
type odsign_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
|
@ -363,6 +363,7 @@
|
||||||
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
|
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
|
||||||
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
|
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
|
||||||
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
|
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
|
||||||
|
/system/bin/odsign u:object_r:odsign_exec:s0
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# Vendor files
|
# Vendor files
|
||||||
|
@ -588,6 +589,7 @@
|
||||||
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
||||||
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
|
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
|
||||||
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
|
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
|
||||||
|
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
|
||||||
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
|
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
|
||||||
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
|
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
|
||||||
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
|
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
|
||||||
|
|
|
@ -15,6 +15,10 @@ allow fsverity_init fsverity_init:key { view search write };
|
||||||
# Allow init to write to /proc/sys/fs/verity/require_signatures
|
# Allow init to write to /proc/sys/fs/verity/require_signatures
|
||||||
allow fsverity_init proc_fs_verity:file w_file_perms;
|
allow fsverity_init proc_fs_verity:file w_file_perms;
|
||||||
|
|
||||||
|
# Read the on-device signing certificate, to be able to add it to the keyring
|
||||||
|
allow fsverity_init odsign:fd use;
|
||||||
|
allow fsverity_init odsign_data_file:file { getattr read };
|
||||||
|
|
||||||
# When kernel requests an algorithm, the crypto API first looks for an
|
# When kernel requests an algorithm, the crypto API first looks for an
|
||||||
# already registered algorithm with that name. If it fails, the kernel creates
|
# already registered algorithm with that name. If it fails, the kernel creates
|
||||||
# an implementation of the algorithm from templates.
|
# an implementation of the algorithm from templates.
|
||||||
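Review bot: The new rules give fsverity_init `odsign_data_file:file { getattr read }` and `odsign:fd use`, but no `search` on the odsign_data_file directory, so the certificate can only be consumed through an fd inherited from odsign, not by opening a path under /data/misc/odsign. If the odsign binary hands fsverity_init a path instead, `allow fsverity_init odsign_data_file:dir search;` (and `open` on the file) is also required, and the gap would only show up as a runtime denial on first boot rather than at policy build time. The neverallow in private/odsign.te already exempts fsverity_init from the `odsign_data_file:dir` restriction, which suggests directory access was anticipated, so it is worth confirming which handoff is used and either adding the search rule or dropping the unused exemption.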
|
|
|
@ -18,6 +18,10 @@ domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
|
||||||
# Run dexoptanalyzer in its own sandbox.
|
# Run dexoptanalyzer in its own sandbox.
|
||||||
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
|
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
|
||||||
|
|
||||||
|
# Use devpts and fd from odsign (which exec()'s odrefresh)
|
||||||
|
allow odrefresh odsign_devpts:chr_file { read write };
|
||||||
|
allow odrefresh odsign:fd use;
|
||||||
|
|
||||||
# Do not audit unused resources from parent processes (adb, shell, su).
|
# Do not audit unused resources from parent processes (adb, shell, su).
|
||||||
# These appear to be unnecessary for odrefresh.
|
# These appear to be unnecessary for odrefresh.
|
||||||
dontaudit odrefresh { adbd shell }:fd use;
|
dontaudit odrefresh { adbd shell }:fd use;
|
||||||
|
|
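--- a/private/odsign.te
+++ b/private/odsign.te
@@ -0,0 +1,41 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;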